As a small business owner, you must be aware of the General Data Protection Regulation (GDPR). This impacts all businesses in England, both small and large. Furthermore, any breach of the GDPR by your organisation can result in a fine from the Information Commissioner’s Office (ICO). The ICO enforces GDPR compliance and provides businesses with information on how to do so.
This article will explain why your small business needs to comply with GDPR rules and why a serious breach of data protection provisions can cause problems for your company.
What Does the GDPR Require My Business to Do?
The most important data protection principles put in place by the GDPR include:
- collecting and processing personal information transparently and legally;
- your business limiting its use of personal data to situations where there is a specific and lawful purpose;
- reporting any serious personal data breach to the ICO within 72 hours;
- providing quick and convenient access to data following receipt of a subject access request (SAR);
- ensuring your business meets specific requirements when moving personal data outside of the UK; and
- importantly, not collecting more personal data than is truly necessary.
These duties are so important that the Government set up the ICO to investigate potential breaches and fine companies up to £17.5m for non-compliance with GDPR rules. Thus, the ICO acts as a referee with the ability to cause severe financial and reputational damage to your organisation.
Why Should My Company Be Aware of the ICO?
In the past, the ICO has issued hefty fines on companies in England.
In one such case, the ICO’s Deputy Commissioner hoped the fine would ‘send a message to other organisations that looking after their customers’ personal details safely should be at the top of their agenda’.
If your business commits a serious breach of the GDPR that puts the information of customers or staff at risk, it can expect a financial penalty. Additionally, the ICO publishes its findings online (many of which are reported within the media). Therefore, non-compliant businesses should also be aware of the risk to their reputation.
Will the ICO Account for the Small Size of My Business?
The ICO will consider your company’s size when assessing any breach of GDPR rules, but only to a limited extent. This is generally because smaller businesses tend to handle smaller amounts of personal data, so any breach usually affects fewer people. Beyond this, the ICO expects small businesses to apply the same effort in complying with GDPR rules as large companies.
Avoid GDPR Compliance Issues
The simplest way your business can avoid compliance issues is by complying with the GDPR. However, the GDPR is complex and lengthy, and compliance can be difficult to manage for many businesses. Some preliminary steps to limit the chance of a GDPR breach include:
- investing in robust anti-virus software and installing all updates promptly;
- using strong passwords and two-factor authentication to access essential accounts;
- putting policies in place that promote good data protection and subject access request handling;
- providing a transparent and detailed privacy policy on your website; and
- ensuring that your business carries out data audits and deletes out-of-date or irrelevant information.
Key Takeaways
It is more important than ever that small businesses in England follow data protection laws. Non-compliant businesses will be fined by the ICO. However, your company can comply with the fundamental principles of the GDPR by reviewing the guidance documents on the ICO website.
If you need help ensuring your small business complies with the GDPR, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.
Frequently Asked Questions
Your first step should be to acknowledge receipt of the SAR and request any additional information needed. After this, you should conduct the relevant search and provide the documents to the individual within the appropriate time limit.
The requirement is in place to ensure that data breaches are acted upon by the ICO (to deter businesses from taking data protection rules lightly). Failure to self-refer within 72 hours of a personal data breach is a GDPR failure and likely to incur a financial penalty from the ICO.